Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    156s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 07:06

General

  • Target

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe

  • Size

    314KB

  • MD5

    58b95345f410185e54c32e190c9eec43

  • SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

  • SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

  • SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • SSDEEP

    6144:Z0NtY63xjxc2CiyOyo95ULe2dp8f20xzpIdWO9WbVXfP6do6skevD:Z0PYKxOhooLe2DMIdd9WxfPqo6fevD

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 45 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe
    "C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\asferror.exe
      C:\Windows\system32\asferror.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\aadauthhelper.exe
        C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4792
        • C:\Windows\SysWOW64\AboveLockAppHost.exe
          C:\Windows\system32\AboveLockAppHost.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5028
          • C:\Windows\SysWOW64\ActivationManager.exe
            C:\Windows\system32\ActivationManager.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5020
            • C:\Windows\SysWOW64\AarSvc.exe
              C:\Windows\system32\AarSvc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2304
              • C:\Windows\SysWOW64\ActionCenterCPL.exe
                C:\Windows\system32\ActionCenterCPL.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2928
                • C:\Windows\SysWOW64\amstream.exe
                  C:\Windows\system32\amstream.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2180
                  • C:\Windows\SysWOW64\AnalogCommonProxyStub.exe
                    C:\Windows\system32\AnalogCommonProxyStub.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1928
                    • C:\Windows\SysWOW64\AcGenral.exe
                      C:\Windows\system32\AcGenral.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:224
                      • C:\Windows\SysWOW64\AcSpecfc.exe
                        C:\Windows\system32\AcSpecfc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4240
                        • C:\Windows\SysWOW64\AboveLockAppHost.exe
                          C:\Windows\system32\AboveLockAppHost.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4820
                          • C:\Windows\SysWOW64\acledit.exe
                            C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4472
                            • C:\Windows\SysWOW64\audiodev.exe
                              C:\Windows\system32\audiodev.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
                              14⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4704
                              • C:\Windows\SysWOW64\accessibilitycpl.exe
                                C:\Windows\system32\accessibilitycpl.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32
                                15⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:4740
                                • C:\Windows\SysWOW64\adprovider.exe
                                  C:\Windows\system32\adprovider.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
                                  16⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:3148
                                  • C:\Windows\SysWOW64\AppxPackaging.exe
                                    C:\Windows\system32\AppxPackaging.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1992
                                    • C:\Windows\SysWOW64\AcGenral.exe
                                      C:\Windows\system32\AcGenral.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:4880
                                      • C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe
                                        C:\Windows\system32\AppInstallerPrompt.Desktop.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:2796
                                        • C:\Windows\SysWOW64\advapi32.exe
                                          C:\Windows\system32\advapi32.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:3356
                                          • C:\Windows\SysWOW64\ActionCenterCPL.exe
                                            C:\Windows\system32\ActionCenterCPL.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:2400
                                            • C:\Windows\SysWOW64\AcXtrnal.exe
                                              C:\Windows\system32\AcXtrnal.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:2808
                                              • C:\Windows\SysWOW64\AcSpecfc.exe
                                                C:\Windows\system32\AcSpecfc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2184
                                                • C:\Windows\SysWOW64\aeevts.exe
                                                  C:\Windows\system32\aeevts.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4160
                                                  • C:\Windows\SysWOW64\acledit.exe
                                                    C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1600
                                                    • C:\Windows\SysWOW64\adsldp.exe
                                                      C:\Windows\system32\adsldp.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3720
                                                      • C:\Windows\SysWOW64\aadauthhelper.exe
                                                        C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4960
                                                        • C:\Windows\SysWOW64\aclui.exe
                                                          C:\Windows\system32\aclui.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4172
                                                          • C:\Windows\SysWOW64\AarSvc.exe
                                                            C:\Windows\system32\AarSvc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:700
                                                            • C:\Windows\SysWOW64\acppage.exe
                                                              C:\Windows\system32\acppage.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4996
                                                              • C:\Windows\SysWOW64\archiveint.exe
                                                                C:\Windows\system32\archiveint.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1656
                                                                • C:\Windows\SysWOW64\accountaccessor.exe
                                                                  C:\Windows\system32\accountaccessor.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4984
                                                                  • C:\Windows\SysWOW64\aadauthhelper.exe
                                                                    C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:644
                                                                    • C:\Windows\SysWOW64\accessibilitycpl.exe
                                                                      C:\Windows\system32\accessibilitycpl.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1764
                                                                      • C:\Windows\SysWOW64\AboveLockAppHost.exe
                                                                        C:\Windows\system32\AboveLockAppHost.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2352
                                                                        • C:\Windows\SysWOW64\accountaccessor.exe
                                                                          C:\Windows\system32\accountaccessor.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:404
                                                                          • C:\Windows\SysWOW64\aadauthhelper.exe
                                                                            C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3796
                                                                            • C:\Windows\SysWOW64\acledit.exe
                                                                              C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:3924
                                                                              • C:\Windows\SysWOW64\aclui.exe
                                                                                C:\Windows\system32\aclui.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:4280
                                                                                • C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe
                                                                                  C:\Windows\system32\AppIdPolicyEngineApi.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3144
                                                                                  • C:\Windows\SysWOW64\ActivationClient.exe
                                                                                    C:\Windows\system32\ActivationClient.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2424
                                                                                    • C:\Windows\SysWOW64\acledit.exe
                                                                                      C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1120
                                                                                      • C:\Windows\SysWOW64\AcLayers.exe
                                                                                        C:\Windows\system32\AcLayers.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:392
                                                                                        • C:\Windows\SysWOW64\advapi32res.exe
                                                                                          C:\Windows\system32\advapi32res.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m392:C:\Windows\SysWOW64\AcLayers.exe -sC:\Windows\system32
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Adds Run key to start application
                                                                                          • Drops file in System32 directory
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3092
                                                                                          • C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe
                                                                                            C:\Windows\system32\AppIdPolicyEngineApi.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m392:C:\Windows\SysWOW64\AcLayers.exe -sC:\Windows\system32 -m3092:C:\Windows\SysWOW64\advapi32res.exe -sC:\Windows\system32
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:4880
                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                            C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Windows\SysWOW64\advapi32res.exe" enable
                                                                                            45⤵
                                                                                            • Modifies Windows Firewall
                                                                                            PID:2796
                                                                                          • C:\Windows\SysWOW64\advapi32res.exe
                                                                                            C:\Windows\SysWOW64\advapi32res.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m392:C:\Windows\SysWOW64\AcLayers.exe -sC:\Windows\system32 -w3092
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\AarSvc.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AarSvc.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AarSvc.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AarSvc.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AboveLockAppHost.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AboveLockAppHost.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AboveLockAppHost.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AboveLockAppHost.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcGenral.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcGenral.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcGenral.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcGenral.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcSpecfc.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcSpecfc.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcSpecfc.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcSpecfc.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcXtrnal.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AcXtrnal.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\ActionCenterCPL.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\ActionCenterCPL.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\ActionCenterCPL.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\ActionCenterCPL.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\ActivationManager.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\ActivationManager.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AnalogCommonProxyStub.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AnalogCommonProxyStub.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AppxPackaging.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\AppxPackaging.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aadauthhelper.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aadauthhelper.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aadauthhelper.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aadauthhelper.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aadauthhelper.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aadauthhelper.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\accessibilitycpl.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\accessibilitycpl.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\accountaccessor.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\accountaccessor.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\acledit.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\acledit.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\acledit.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\acledit.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aclui.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aclui.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\acppage.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\acppage.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\adprovider.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\adprovider.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\adsldp.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\adsldp.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\advapi32.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\advapi32.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aeevts.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\aeevts.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\amstream.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\amstream.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\archiveint.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\archiveint.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\asferror.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\asferror.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\audiodev.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • C:\Windows\SysWOW64\audiodev.exe

    Filesize

    314KB

    MD5

    58b95345f410185e54c32e190c9eec43

    SHA1

    9701ba8e61703060043ba816f4b6fb8ad73b76b2

    SHA256

    9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

    SHA512

    41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

  • memory/224-186-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/404-330-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/404-326-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/404-325-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/644-315-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/700-297-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/904-140-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/904-132-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/904-133-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1600-273-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1600-266-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1600-265-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1656-308-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1764-321-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1764-317-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1764-316-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1928-185-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1928-180-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1928-179-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1992-229-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2180-178-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2184-257-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2304-168-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2304-163-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2352-324-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2400-250-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2796-236-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2808-251-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2808-256-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2892-145-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2892-139-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2892-138-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/2928-169-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3148-225-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3148-219-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3356-241-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3720-274-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3796-329-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3796-333-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4160-267-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4172-290-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4172-284-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4172-283-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4240-196-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4280-336-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4472-202-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4472-214-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4704-211-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4740-212-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4740-220-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4792-150-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4820-213-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4820-194-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4820-195-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4880-235-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4960-285-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4984-307-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4984-318-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4996-295-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4996-296-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/4996-302-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/5020-162-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/5028-157-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/5028-151-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/5028-152-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB